Cyber Law Journal

Can Hacking Victims Be Held Legally Liable?

Published: August 24, 2001

(Page 2 of 3)

Also vulnerable to a negligence claim would be the network service providers and hosting companies, said Radin. There would be no contract defense for these companies to fall back on with respect to the broker's individual customers for the simple reason that there is no contract between them. On the other hand, the potential legal warfare between the brokerage and the network providers would likely proceed under the terms of their business contracts.

To determine whether the corporate defendants are negligent, courts will look at how any losses could have been prevented. "A court is going to say it is negligent of you not to implement preventative measures if they are reasonably effective and affordable," said Radin.

A jury will have to decide, in fact, if the company could have taken preventative measures, said Radin. Trials will, therefore, be a battle of expert witnesses, she predicted. But, she added: "I think as technology increases-- as easy fixes become available -- it's more likely that courts will be unsympathetic" to companies that have not done their utmost to block hacker invasions. That is particularly true with respect to the Internet service providers which are in the best position to take system-wide precautions, she said.

Meanwhile, Raul of Sidley Austin, which represents major communication companies and firms doing business online, said that his clients "either are, or ought to be" worried about their legal liability for malicious hacks or inadvertent glitches.

In his firm's paper, Raul and his colleagues said that companies can seek to manage their legal risks by adopting state-of-the-art security measures suggested by industry groups and supporting federal laws aimed at strengthening data security in the health and financial fields.

"Does a company have controls in place to prevent unauthorized access and careless release of data," asked Raul. "Is the company training employees in information security?" Is it constantly assessing its vulnerability to intrusions or glitches? The answers are important because an aggressive plaintiff's lawyer is sure to ask who was the person or unit responsible for data security? If the defendant offers a weak response, said Raul, it will look "really bad."

uppose, Margaret Jane Radin of Stanford Law School wrote recently, that a Web site operated by a securities brokerage suffers a crippling attack by hackers. The ability of its customers to conduct trades is hampered for several hours, or even blocked entirely. Imagine, too, that on the day of the attack the stock market is volatile, and that many customers are trying unsuccessfully to buy or sell stocks in a flash.

Of course, hackers are easy to blame. But what about the companies that investors rely on to make trades? Are the brokerage firms and their network providers -- which failed to prevent the attack that harmed the site -- vulnerable to a second onslaught a nasty lawsuit from unhappy clients who lost money as a result of the shutdown?

Professor Radin isn't the only legal thinker posing this question. Another paper co-authored by two partners and a legal assistant at a major law firm, also considers whether companies that fail to take reasonable steps to protect their computer systems from malicious attacks or internal malfunctions are sitting ducks for lawsuits.

So far, lawyers say, the answer is unclear. There have been no reported court decisions discussing the issue of a company's liability for a hacker attack, according to Radin, an authority on intellectual property, electronic commerce and Internet law. But lawsuits in the near future are highly likely, she said.

In her paper, professor Radin examined the possible legal fallout from a "distributed denial of service" attack. This is a particularly troublesome form of digital mischief whereby hackers gain control of unsuspecting users' computers and use those distributed machines to flood a targeted site or service with junk messages, overwhelming the site and causing it to be inaccessible to legitimate customers. (Her study, "Distributed Denial of Service Attacks: Who Pays?" commissioned by Mazu Networks, Inc., a Cambridge, Mass.-based security company, is available on the company's site.)

Radin concluded that there is a "significant risk" that in the near future targeted Web sites will be held liable to their customers for harm arising from distributed denial of service attacks. In addition, she reckoned that there is another "significant risk" that the computer network companies that carry the hackers' attack messages -- such as ISPs and backbone network providers -- will be held accountable to the targeted Web sites, and perhaps to the sites' customers.

In the second paper, members of the cyberlaw practice group of Sidley Austin Brown & Wood, a national law firm, considered the growing legal danger faced by online service providers who suffer security breaches or the internal glitches that can compromise their customer's information.

The study, "Liability for Computer Glitches and Online Security Lapses," by Alan Charles Raul and Frank R. Volpe, partners at the firm, and Gabriel S. Meyer a summer associate and J.D. candidate at Cornell University, was published earlier this month in a Bureau of National Affairs newsletter on electronic-commerce and will be available shortly on the firm's Web site. It concludes that e-commerce players must "demonstrate [a] willingness and ability to implement aggressive security measures" if they wish to stave off security breaches, avoid government intervention and escape, or at least limit, damages in a lawsuit.